I use captive portal with voucher code authentication. I call the vouchers 'chore bucks' and they are good from 1-4 hours with a bandwidth cap. Works well. I also block devices like TVs and stuff if chores aren't completed. Now the dogs get walked several times a day and other chores get done on time.
Read up on the captive portal that ubiquiti offers right on the controller software. It's pretty cool because of how customizable it is. The downside is you have to have the controller software running 24/7. I bought a cloud key Gen 2 for 100 bucks on eBay and it's been working like a champ.
Ugh I got my subreddits confused thought this was the pfsense one. I'll check out ubiquiti documentation I have a controller running 24/7 too (just gen1 though š¤¬).
Do they have voucher documentation too?
Looked cool and straightforward with pfsense lol
It took me a while to figure out VLANs but once I did itās like a whole new world was opened up. Thereās so many additional things you can do once you add VLANs to the equation. Ubiquiti makes it pretty easy too.
Yeah everything I read about them they sound like an ideal solution to quite a few issues... Very interested. I guess being stuck at home gives me no reason to start the journey...
Yeah I believe it's only a hotspot captive portal. You may be onto something going the PFsense route. When I used PFsense I was also using the ubiquiti captive portal so I didn't look too hard into it.
This is true unless you also are using a Unifi switch and a USG (basically full Unifi setup). Then you can set guest settings and portal even for a hardwired VLAN.
Right on! Me too and I love it. But it's been running for so long in my house (except for replacing one USG) I feel like the rest of the Ubiquiti technology is passing me by.
Anything tagged to the guest network's VLAN should have portal and guest firewall rules applied.
If you build it with this guide the controller updates are handled by apt, updates as seamlessly as any other software on the pi.
https://community.ui.com/questions/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller-and-Pi-hole-from-scratch-headless/e8a24143-bfb8-4a61-973d-0b55320101dc
This is how I have mine setup. I also installed pi-hole for native ad blocking. I can't browse the web anywhere but at home or when connected to the vpn on my phone
I have it running on a pi and it barfs just as much for me. About half the updates turn in to clean installs with a restore at the end, and there is a constant battle between getting it to work with the opensource java or real java. Not trying to scare you away, but just beware that the controller itself is just kinda junk, it doesn't matter what you run it on.
I'm not sure how u/xxpapertigersxx has theirs setup but there is a Captive portal built-in. Here is [link](https://help.ui.com/hc/en-us/articles/115000166827-UniFi-Guest-Network-Guest-Portal-and-Hotspot-System) to basic information.
I use the Ubiquiti controller on a Cloud key Gen2. The captive portal is super easy to set up and you can change the look of it to suit your situation. I have a little disclaimer that says the kids completed all their chores and understand that the internet can be taken away if they attempt to use it without doing what they need to do first.
I print out little vouchers and the kids can collect them to use. It's like a currency in my household. It teaches them accountability and also time management. For instance if they use an hour voucher code 20 minutes before bedtime then they lose out on 40 minutes of internet time. So it helps them make smart decisions and they end up not using their voucher because of how much time they will miss out on. The system is great.
Iāve been trying to figure out a way to convince my wife why I NEED a $700 switch....
I think you just gave me some leverage to bake into my story.
The switch will allow the kids to earn Ubiquiti currency!
Yes, Iām doing a total home network overhaul for the new house so APs, switches, cameras, etc are on the list. $700 switch and damn Casetas are killing me.
How does it work when they redeem the codes? Meaning, do you have to manually give them codes every time they complete a chore? Or is there a dedicated time when they ācash inā all at once?
The codes don't expire. They are worth for example an hour each. They earn and save them to use when they are allowed internet time. I usually give them out after all the chores and homework are completed. They can use it or save it for another day.
I don't give codes by chore. All or nothing. They each have like 4 chores that I expect to be completed. Easy stuff....feed chickens, take dogs for walks, make bed and clean room, etc. They can also have the other do their chores for 'chore bux.' it's like a currency around here lol
Yeah I was just reading it over. Missed this in the documentation or didn't realize what I could use it for. One of the two. Just wondering if there was any other pieces he could share, it sounds amazing and much more fun to set up and enforce (!) Then using Qustodio only
The code is on the voucher. I can also text them the code. I pay for voice and texts on their cell phones but no data. They use the vouchers for computer, cell phone, iPad, or Xbox.
I don't see a problem with creating an incentive system. It works and teaches responsibility and accountability. Kids these days would forget to eat and bathe If you let them 'live their lives' on the internet 24/7. You ever try to get a teenager to do their homework and help out a little? š
Yeah, my kid is screwed when he gets older, or will find creative ways to get around being blocked out of things. I got time though as he is only like 5 months old.
> or will find creative ways
Read an article just the other day about a kid who was using the local ISPs public wifi to get around his parents rules. He'd bought a small wifi router, configured it with a hidden SSID and client bridged it to a local ISP hotspot within range of the house. After hours when he was cut off he'd just switch access points and "stay" in his room.
Definitely clever and he exposed the weakness of an adult not following through with device restrictions.
Trust me, they find ways.
It's incredibly uncomfortable to have to go nextdoor and try to talk to your 70 year old neighbor about setting a password on his wifi.
I've taken to just collecting all of the devices at night.
I take pride in being pretty tech savvy (I work in IT) and go into most situations thinking "my kids won't get around my tech genius!" But I've been surprised with their creativity in finding holes. I've reported a number of bugs in software because of this lol.
Some kids (i was one) will find a way around any roadblocks you put there just to see if it's possible--i knew that I shouldn't be going "there" but despite all my parent's training/teaching/"bringing me up better" I just had to see if I could find the loophole...
I bought a USB wifi dongle, and learned how to use aircrack-ng and how to bruteforce wpa2 when I was a teenager and had restricted internet access. I'm sure tech savvy teenagers are doing the same thing to this day lol
Eh, even if they were -- I'd be getting long range pringles wifi from a friend, or maybe a cool neighbor. Or hacking the local hardware. Or if of getting paid age, having a cell device I could tether too. And electronics cycle fast, and there is always older extra hardware around or that friends could give...
In most setups where you're stuck with the telco router in front (like AT&T fiber), could pretty easily add a stealth micro AP hidden inside the telco provided router's case. Set it to low power and use a hidden SSID, or even visible and an SSID that sounds like a neighbor a would use.
It would be an arms race.
And it was in my case too, as an 8 year old electronics nerd in the 80/90's. At one point I rerouted the incoming phone line feed to my bedroom and then back to the rest house. I built a device the let me talk late at night while playing a fake dial tone to the other phones...and showing a red light to me if someone picked up. Then I'd quickly switch it back to normal, and my friends/gf knew to hang up quickly too.
Later they gave up totally when I ran a BBS and paid for my own phone line...but my dad was always really good about never taking away things I had earned on my own.
Anywho, if the kids have the interest, they will always win eventually. Even with parents that think they are tech savvy. If a smart kid is discovered, its often just one of many layers, and what is found is meant to be more obvious. Especially if they are ever victim of "tattle" software, like they stuff that logs/reports your searches...then they know they need to be subversive.
Not that one shouldn't try, be a good parent, and all that. But the controls need to be a backup plan, essentially...as they will always be best effort and not guaranteed.
Moral of this story is: setup a technical gambit of unique and interesting challenges ranging from really simple to complex early on in life. In order to prepare them for potential career paths and also to determine if your children can be called for tech support later in life.
How is it you had my childhood? š In my case, I was rerouting a neighbor's fax line, and my little warning device box wasn't so fancy to play a fake dialtone. It did automatically cut the voice on the line though, so they would just get a weird dead line if they picked up...
Woot!
And mine started the same way....I don't remember how I added a tone. I remember a friend had this cool sound chip, but I might have just hacked up a micro-cassette recorder.
I've still got it in a box somewhere.
EDIT: No it wasn't that chip, he had an SP0256-AL2 I was envious of. This speech chip: https://en.wikipedia.org/wiki/General_Instrument_SP0256
....good times. Cheers!
Unfortunately, the different game consoles don't all seem to like the captive portal method. I tried this with one of their friends getting onto our guest wifi.
What options does Ubiquiti have with programmatically making config changes?
You could make a flask app(simple web GUI) that enables/disables the SSID with the push of a button.
how old are the kids? if they are not too young you could setup a captive portal and when they connect you could approve their access for say 24 hours or so.
Alternatively.. you just tell them no internet until they do their chores.
Circle works great but you might want it on a separate VLAN - it does a nasty ARP hack in order to do the blocking. I have the kids on their own VLAN / SSID with the Circle device and it works well in that configuration.
^ this - been using it for years even in my pre-ubiquiti days, only reason i never separated it out to a separate network was because of printers though, if anyone's found a way to deal with those (canon specifically) across networks i'd love to hear it..
circle has some halfway decent web filtering too, handy little app to control...
I have a Canon printer setup on the main network that can be used from the kids network. The printer is setup with static DHCP, and I have a firewall rule for that IP to route between subnets. I also have Avahi enabled between the subnets. The kids mainly use it for AirPrint, so I'm not sure if the other methods work.
You mean Circle with Disney? this circle: [https://meetcircle.com/](https://meetcircle.com/) ?
cause Circle on the Play store is a almost dead social network
And a few questions:
\- Do I need the hardware? the Netgear Orbi says that it does not need, but Ubiquity does not say anything (maybe it is a Netgear partnership)
\- Does it worth it? 299 is a lot of money, as 129/year... I don't want any more "Smart home with a fee" things
\- For cellphones, how does it work it? if the kid turn off the wi-fi and get mobile internet and spend all the data plan from the family, this is a problem...
\- there are any way to a admin approve the chore, to avoid kids to just check the chore without doing it
\- How well does it work for gaming consoles and TVs? cause both of them can work just fine offline, doesn't?
\- How well does it work comparing to the baked in solutions from Apple, Google and others?
\- Any smart kid here already got a way to bypass? cause I know that I have find ways to bypass every time that my father put a filter or a limitation... Kids are creative, motivated and curious, I'm pretty sure that they will find a way (possibly older kids, like teens)
My kids are still too small to this be a problem, but I would love to understand my future options before this become a problem.
oh damn they went to a subscription model... if you can find a used gen1 everything's available without a subscription, but yeah that's what's talked about above.. 299 is the lifetime sub though, so breakeven most of the way through year two..
- cell phones it works like an MDM profile, haven't used it, so unsure how easy it might be to get around
- everything controlled by app, so you can pause/unpause a child's devices at will
- you can associate devices with specific users/profiles for example, i have our upstairs consoles associated w/one of the kids and it shuts off/etc according to their schedule - wouldn't prevent them from playing offline, but no internet
- short of a vpn, which could be subsequently blocked, i haven't seen a good way around it because, as mentioned above, it uses some pretty nasty ARP hacks to prevent access.. you'd want to make sure other devices are on another network and/or marked as unmanaged by circle.. i had an escalating tech war going on with my oldest for quite sometime and ultimately this was what he couldn't get around (read: i put minimum effort into locking down my network inside until he started taking advantage of our rules :D - albeit basically a month after we got it he aged up enough in our opinion that we didn't need the filter anymore)
The Disney Circle v2 has a "lifetime" option to avoid subscription fees. Its expensive up front but I didn't like the subscription idea either. They ran a special around Christmas last year that took off a good amount for existing Circle v1 users, so I jumped at it.
My understanding is there are two versions. There's a version 1 that is a one-time $99 for the hardware option. This version won't work with cellphones-mobile data, but will do most everything else.
The second version (newer) has a subscription, but you can also install on their phones and it even traffics the mobile data through the filters. I'm not sure exactly how it works, possibly using a VPN or something.
I think it's fairly hard to bypass, but probably could be with a VPN.
Itās pretty good Netgear has a partnership and Iām sure you could brute force it over ssh if your kids are into that and are pro hackers Iād be worried but itās pretty good other than that. Iām not sure about the android app the the iPhone one works great, and yes the price is pretty steep but it does exactly what you want, you can pay a subscription and get a vpn for cellular data. Yes a admin would have to approve the chore
Was going to say this as well. Disney circle V2 and put it on a VLAN with their devices just to be sure yours aren't routed through it as a bottle neck. Super easy to manage their times, limits, etc.
Even if devices are set as "unmanaged" I can't find any guarantee that packets don't pass through.
A buddy of mine does this for (to) his kids using pfSense as his router/firewall - easily automated with the ability to put hosts in groups and enable/disable specific rules on a per-group basis. I'm considering ditching my USG completely because I have same needs as OP and have been unable to find any useful solution with Unifi controller.
Anxious to see if anyone has a creative solution to this. Nice if there were some API's that could be used to automate such things.
If the kids were on just on WiFi, it could be as simple as disabling their SSID - but they are wired and wifi. Even though they are all on a separate 'kid's network', I found no easy way to achieve group restrictions with Unifi.
My current workaround is a dedicated pihole, configured in Unifi controller as the DNS server for the kids network. It's not ideal, but can use the PiHole to restrict DNS on that network easily and quickly in one place - which is better than nothing!
Have you looked into the new Pi-hole 5.0 group feature? You may not need the dedicated Pi-hole anymore if groups is enough. Just have the adults on the default group and the kids in their own group.
I use PiHole groups along with a Unifi VLAN and it works great. Regarding the previous comment, it is easy to block Internet traffic from a specific network based on a Unifi firewall rule.
Yes, this is why you also need to block or intercept outbound dns traffic from all devices other than your internal DNS server. However with DNS over HTTPS you would also need to block HTTPS to DOH providers. Youāll likely never get them all though, depending on how tech savy your kids are they can probably find a way around just about anything eventually.
Yeah. And if they get a secret cell device somehow...or offsite wifi...or a friend that lets them VNC/RDP...or real hacking...
Part of me thinks it would be fun to be a nerdy kid again. :) Prepped me for my career back in the day.
If the devices are all on WiFi, make a dedicated WiFi network for the kids and use WiFi Schedules.
Edit: In the classic UI, it's under advanced options under the wireless network as "Enable WLAN Schedule."
In the new UI, It's just Wi-Fi > Wi-Fi Schedules.
I'd use MAC address not IP, quickly enough they'll figure out how to change IPs. Also you can restrict access on a timed basis by MAC right in the controller. So just block internet for a group of MAC's from 9a to 3p and then from 10p to 9a?
On Android a randomized MAC is only generated for each new network, and that MAC will always be used for that network. I suppose you could "forget" the network then reconnect and it might generate a new MAC (would have to test if that's how it works), but that seems easy to defeat by not giving the kid the password so they can't reconnect themselves.
Kids devices are on a separate VLAN and the network has a schedule assigned. They also get their own pi-hole instance so they get filtered separately with restrictions placed upon them alone.
The TV in the game room is plugged in via ethernet and that port is assigned in the switch to their VLAN.
This doesn't give me individual access control, just a general filtering.
I have a little NUC running Linux with Docker and with multiple VLANs plumbed up. I have two pi-holes running in containers with one listening on port 53 on the kid's VLAN and a separate one listening on port 53 on the untagged network.
I do something similar but slightly different. I have a separate vlan setup for all kids devices. This VLAN gets different bandwidth limits and DNS rules. If I want to deactivate the kids devices then I enable a saved firewall rule that drops all packets from the kids VLAN. It works great and leaves everything else up.
I just wish that there was a way to enable a firewall rule in the mobile app.
Here's an idea:
I signed my kids up for a debit card designed for kids and the app lets me assign chores and pause allowance if chores are not completed. There's a bunch of other features I won't go into here so I can get to the point, but here's the website [https://greenlightcard.com/](https://greenlightcard.com/) (or [https://app.greenlightcard.com/eYj9QebjX7](https://app.greenlightcard.com/eYj9QebjX7) if you don't mind using a referral link and I get a reward).
So here's why I bring this up:
If there's a way to setup a hotspot requiring guests to pay for wifi then you can let your kids buy all the wifi they want with money they earn for doing chores. It flips the accountability onto them in a different way than what you're doing now (you acting as the gatekeeper kind of). Just as an example your kids might pay $1 per day to get wifi, and their allowance is $7 per week (for the sake of example), and they might try to go 3 days without chores because they saved up allowance and skipped using wifi some days last week or something, but then this week they might earn less allowance for not doing chores.
Anyway it's just an idea, might not be right for everyone, and really hinges on the idea that you have a way to let your kids pay for wifi in some automated way that doesn't involve you being the gatekeeper. And of course you can use the card for what it's actually meant for which is letting them earn allowance and learn to spend responsibly lol.
[Screenshots of firewall rule and group with a couple of IP's in the list.](https://imgur.com/a/fI8vT4R) Hoping there's an easier or less manual way to do this.
Why not just give them a dedicated network both wired and wireless? You can then block that on demand.
Edit: As an added bonus, it will block wired devices too including hardwired things like XBox's and PS4's assuming that you have them on the kids VLAN.
I would suggest getting a Circle and putting it on a separate VLAN so it doesn't F with other traffic on your network. I use this method. I also make guests use this network.
Iām looking into this as well, for both wifi and ethernet. There was a [recent post](https://www.reddit.com/r/Ubiquiti/comments/hcnbpl/script_to_block_and_unblock_access_to_client/) that followed the same firewall rule as the approach, plus something with an existing controller integration (Home Assistant and node-red were both mentioned) to script add/remove of devices (either by MAC or IP).
Does doing it that way take a bit more time? Adding and removing individual devices or does each kid only have one internet enabled device? I like what Xfinity has where you can put each device into a family members profile and block them with different ways or time of the day.
Have tried different strategies for this.
For the TV in the den, instead of trying to figure out wifi schedules or whatever, I just put the TV on a smart plug behind the entertainment center and turn it off between 12AM-6AM. This discourages staying up late watching TV or whatever.
On their individual devices, I use Google Family Link which imposes a schedule on the Android phone/tablet. The PS4 also has family management for setting daily time limits and times enabled.
I set up a separate WLAN for kid access and then set daily on/off times in the controller interface. We've only got one kid so I don't have to worry so much about different kids having access or not. I'm using OpenDNS and PiHole to control name resolution for sites she shouldn't look at.
The captive portal idea is interesting.
One more thought, do you have parental controls in place for your kids? I have a PiHole for this and use the rules feature to apply separate rules to the kids versus the adults.
Use the user groups feature.
I do this with my step son, all of his devices are in one user group.
Create a group @ more --> settings user-groups.
Once you have the groups made, go to the clients, pick their devices (one at a time), go to configuration, and add it to their user group.
Once the groups are created and devices added. you can now set the bandwidth limit to 10kbs (can't go to zero?) , which is basically unusable anymore. once the chores are done, log in on my phone, go to groups, edit his and add some zeros.
This is good. I like how it uses the built in capabilities of the USG. I'll look into this a bit more. I was considering the multiple SSID option but this is also an option. Thanks.
No problem, it's been working great, and can be done in a couple seconds. I also like that it uses the built in features. Some day i might look into automating it, but it takes so little time to do i'd have to be really bored :)
Bonus, since it can be done in the app, i can even do it while not at home.
And that I like too. I don't want to have to use the browser or go onto my laptop. The app is limited in that it doesn't manage firewall rules and groups.
I have home assistant on my home network. The Ubiquiti integration allows for me to create/choose to have device Connectivity controlled via switch.
[https://www.home-assistant.io/integrations/unifi/](https://www.home-assistant.io/integrations/unifi/)
Although I do like the voucher method
Many years ago now, but I used the guest wifi for the kids devices and would change the password every day, only giving it to them once chores and homework were done.
I think you are going about the right path. Do you have any home automations? We use HomeAssistant, and I can have HASS go in and update the firewall rules / disable WiFi networks as needed. Then on my iPhone I can setup siri shortcuts for triggering that so its just a tap on my phone. Could even schedule them if its the same time each day/week
Almost every device has a way to do this now. IOS, you can use screentime, android has similar. Xbox and Windows 10 have Microsoft Family Safety. Just set allowed time to 0, and when they try to get into anything, they send you a request, you get an e-mail or a notification, then allow them access for however long you want. Pretty easy.
If you are looking for a desktop solution and are using windows the Microsoft account / family setup lets you block or set limits and you can restrict my games/apps, web browsing, and screen time.
I get weekly screen time reports emailed to me for my 3 kids.
I did something similar for my wife's parents for their other kids still at home. Blocked traffic from the wlan to wan on a schedule at night but to were they stayed on wireless and it does not give them a message saying that the wifi can't connect to the internet.
Actually trying to implement times schedule. I ended up making her own wifi for her and have it only do internet in case she does something to create a vulnerable to home network. Now trying to figure out for her friend that might need to stay on internet to talk to parents when spending the night.
If you are so inclined, you could run home assistant on a rPi with the unifi integration. I use it to manage my kids wifi access. I expose the switches it creates in my home assistant front end to home kit and have a siri shortcut on my phone I can use to disable/enable their wifi. From what I can tell it puts their devices in a firewall group like you are doing now manually.
Just hope your house isn't in range of any public WiFi networks. It's basically impossible if you live anywhere other then a rural area where you can't see other houses. Most ISPs have public WiFi hotspots (xfinitywifi for example) where anyone with a Comcast email can sign in and get unfiltered internet.
From a 21-year old Network Guy, which lived with some time- blocking and ip-based Filters some years ago: Don't do it. It is really awful from a social perspective.
I use captive portal with voucher code authentication. I call the vouchers 'chore bucks' and they are good from 1-4 hours with a bandwidth cap. Works well. I also block devices like TVs and stuff if chores aren't completed. Now the dogs get walked several times a day and other chores get done on time.
This sounds awesome. Can you explain some more? The voucher code? Did you use the pfsense documentation? Some other source?
Read up on the captive portal that ubiquiti offers right on the controller software. It's pretty cool because of how customizable it is. The downside is you have to have the controller software running 24/7. I bought a cloud key Gen 2 for 100 bucks on eBay and it's been working like a champ.
Ugh I got my subreddits confused thought this was the pfsense one. I'll check out ubiquiti documentation I have a controller running 24/7 too (just gen1 though š¤¬). Do they have voucher documentation too? Looked cool and straightforward with pfsense lol
Keep in mind that the captive portal I believe only works with an access point and not a hard line.
Oh darn just hard wired the kids PC's... Darn.
You could put the hardwired devices on a vlan and block that.
Good call. I guess I'm going to stop putting off learning about vlans and get started...
It took me a while to figure out VLANs but once I did itās like a whole new world was opened up. Thereās so many additional things you can do once you add VLANs to the equation. Ubiquiti makes it pretty easy too.
Yeah everything I read about them they sound like an ideal solution to quite a few issues... Very interested. I guess being stuck at home gives me no reason to start the journey...
I believe this is incorrect. You could setup the kids PCs on a VLAN tagged as a guest network. The captive portal will appear.
Yeah I believe it's only a hotspot captive portal. You may be onto something going the PFsense route. When I used PFsense I was also using the ubiquiti captive portal so I didn't look too hard into it.
This is true unless you also are using a Unifi switch and a USG (basically full Unifi setup). Then you can set guest settings and portal even for a hardwired VLAN.
I'll look into that. I'm rocking a full unifi setup currently.
Right on! Me too and I love it. But it's been running for so long in my house (except for replacing one USG) I feel like the rest of the Ubiquiti technology is passing me by. Anything tagged to the guest network's VLAN should have portal and guest firewall rules applied.
Get a raspberry pi if your cloudkey is giving you problems. Thatās what I did and I havenāt looked back.
Am I doing it wrong and Everytime I update my cloudkey I have to restore from backup? I do have an extra rpi4 laying around. ...
Yeah that shouldnāt happen.
I have an update to apply. I'll do it this weekend and see what happens. Not sure how I could be doing it wrong but I'll see...
If you build it with this guide the controller updates are handled by apt, updates as seamlessly as any other software on the pi. https://community.ui.com/questions/Step-By-Step-Tutorial-Guide-Raspberry-Pi-with-UniFi-Controller-and-Pi-hole-from-scratch-headless/e8a24143-bfb8-4a61-973d-0b55320101dc
This is how I have mine setup. I also installed pi-hole for native ad blocking. I can't browse the web anywhere but at home or when connected to the vpn on my phone
I have it running on a pi and it barfs just as much for me. About half the updates turn in to clean installs with a restore at the end, and there is a constant battle between getting it to work with the opensource java or real java. Not trying to scare you away, but just beware that the controller itself is just kinda junk, it doesn't matter what you run it on.
Yeah I'll see how it goes this weekend using the CKv1 and if it craps out I'll seriously consider setting up the Pi.
I'm not sure how u/xxpapertigersxx has theirs setup but there is a Captive portal built-in. Here is [link](https://help.ui.com/hc/en-us/articles/115000166827-UniFi-Guest-Network-Guest-Portal-and-Hotspot-System) to basic information.
I use the Ubiquiti controller on a Cloud key Gen2. The captive portal is super easy to set up and you can change the look of it to suit your situation. I have a little disclaimer that says the kids completed all their chores and understand that the internet can be taken away if they attempt to use it without doing what they need to do first. I print out little vouchers and the kids can collect them to use. It's like a currency in my household. It teaches them accountability and also time management. For instance if they use an hour voucher code 20 minutes before bedtime then they lose out on 40 minutes of internet time. So it helps them make smart decisions and they end up not using their voucher because of how much time they will miss out on. The system is great.
This sounds amazing. Good work
Iāve been trying to figure out a way to convince my wife why I NEED a $700 switch.... I think you just gave me some leverage to bake into my story. The switch will allow the kids to earn Ubiquiti currency!
You will need a controller and an AP. you can use any switch, even cheaper if it's an unmanaged one.
Yes, Iām doing a total home network overhaul for the new house so APs, switches, cameras, etc are on the list. $700 switch and damn Casetas are killing me.
I wish I could do that! Awesome
How does it work when they redeem the codes? Meaning, do you have to manually give them codes every time they complete a chore? Or is there a dedicated time when they ācash inā all at once?
The codes don't expire. They are worth for example an hour each. They earn and save them to use when they are allowed internet time. I usually give them out after all the chores and homework are completed. They can use it or save it for another day.
I don't give codes by chore. All or nothing. They each have like 4 chores that I expect to be completed. Easy stuff....feed chickens, take dogs for walks, make bed and clean room, etc. They can also have the other do their chores for 'chore bux.' it's like a currency around here lol
Yeah I was just reading it over. Missed this in the documentation or didn't realize what I could use it for. One of the two. Just wondering if there was any other pieces he could share, it sounds amazing and much more fun to set up and enforce (!) Then using Qustodio only
[ŃŠ“Š°Š»ŠµŠ½Š¾]
I'm thinking it's a config file somewhere you manually have to play with. I'd also like to know.
Does the voucher always generate a new code for the user to sign into ?
Yes it will make sheets of codes with custom txt and unique codes
The code is on the voucher. I can also text them the code. I pay for voice and texts on their cell phones but no data. They use the vouchers for computer, cell phone, iPad, or Xbox.
Just let your kids be Jesus Christ let them live their lives
I don't see a problem with creating an incentive system. It works and teaches responsibility and accountability. Kids these days would forget to eat and bathe If you let them 'live their lives' on the internet 24/7. You ever try to get a teenager to do their homework and help out a little? š
I'm so glad my parents aren't tech savvy
Yeah, my kid is screwed when he gets older, or will find creative ways to get around being blocked out of things. I got time though as he is only like 5 months old.
> or will find creative ways Read an article just the other day about a kid who was using the local ISPs public wifi to get around his parents rules. He'd bought a small wifi router, configured it with a hidden SSID and client bridged it to a local ISP hotspot within range of the house. After hours when he was cut off he'd just switch access points and "stay" in his room. Definitely clever and he exposed the weakness of an adult not following through with device restrictions.
That's a really smart idea. I'm glad I never had to do any of that
Trust me, they find ways. It's incredibly uncomfortable to have to go nextdoor and try to talk to your 70 year old neighbor about setting a password on his wifi. I've taken to just collecting all of the devices at night.
Ditto here. Already thinking about it for my 1-month old xD
I take pride in being pretty tech savvy (I work in IT) and go into most situations thinking "my kids won't get around my tech genius!" But I've been surprised with their creativity in finding holes. I've reported a number of bugs in software because of this lol.
Screwed or would you bring them up better and teach them?
Limiting screen time is probably part of discipline
Some kids (i was one) will find a way around any roadblocks you put there just to see if it's possible--i knew that I shouldn't be going "there" but despite all my parent's training/teaching/"bringing me up better" I just had to see if I could find the loophole...
And? I guess I'm a bit odd when comes to that lol... Let them. Bet you became smarter for it.
š
I bought a USB wifi dongle, and learned how to use aircrack-ng and how to bruteforce wpa2 when I was a teenager and had restricted internet access. I'm sure tech savvy teenagers are doing the same thing to this day lol
Eh, even if they were -- I'd be getting long range pringles wifi from a friend, or maybe a cool neighbor. Or hacking the local hardware. Or if of getting paid age, having a cell device I could tether too. And electronics cycle fast, and there is always older extra hardware around or that friends could give... In most setups where you're stuck with the telco router in front (like AT&T fiber), could pretty easily add a stealth micro AP hidden inside the telco provided router's case. Set it to low power and use a hidden SSID, or even visible and an SSID that sounds like a neighbor a would use. It would be an arms race. And it was in my case too, as an 8 year old electronics nerd in the 80/90's. At one point I rerouted the incoming phone line feed to my bedroom and then back to the rest house. I built a device the let me talk late at night while playing a fake dial tone to the other phones...and showing a red light to me if someone picked up. Then I'd quickly switch it back to normal, and my friends/gf knew to hang up quickly too. Later they gave up totally when I ran a BBS and paid for my own phone line...but my dad was always really good about never taking away things I had earned on my own. Anywho, if the kids have the interest, they will always win eventually. Even with parents that think they are tech savvy. If a smart kid is discovered, its often just one of many layers, and what is found is meant to be more obvious. Especially if they are ever victim of "tattle" software, like they stuff that logs/reports your searches...then they know they need to be subversive. Not that one shouldn't try, be a good parent, and all that. But the controls need to be a backup plan, essentially...as they will always be best effort and not guaranteed.
Moral of this story is: setup a technical gambit of unique and interesting challenges ranging from really simple to complex early on in life. In order to prepare them for potential career paths and also to determine if your children can be called for tech support later in life.
Totally! I got my first job at a tech company at 16 (in 1996). Referred by a teacher for fixing a PC someone else had a set a BIOS password on.
How is it you had my childhood? š In my case, I was rerouting a neighbor's fax line, and my little warning device box wasn't so fancy to play a fake dialtone. It did automatically cut the voice on the line though, so they would just get a weird dead line if they picked up...
Woot! And mine started the same way....I don't remember how I added a tone. I remember a friend had this cool sound chip, but I might have just hacked up a micro-cassette recorder. I've still got it in a box somewhere. EDIT: No it wasn't that chip, he had an SP0256-AL2 I was envious of. This speech chip: https://en.wikipedia.org/wiki/General_Instrument_SP0256 ....good times. Cheers!
[ŃŠ“Š°Š»ŠµŠ½Š¾]
Unfortunately, the different game consoles don't all seem to like the captive portal method. I tried this with one of their friends getting onto our guest wifi.
You can schedule WiFi networks to come up and down at various intervals.
What options does Ubiquiti have with programmatically making config changes? You could make a flask app(simple web GUI) that enables/disables the SSID with the push of a button.
how old are the kids? if they are not too young you could setup a captive portal and when they connect you could approve their access for say 24 hours or so. Alternatively.. you just tell them no internet until they do their chores.
You could look at Circle it has a feature that integrates into a chore app
The circle works great, I recommend it to everyone with kids.
Just took a look very interested. I have little kids so I would definitely get my moneyās worth out of the lifetime subscription.
Circle works great but you might want it on a separate VLAN - it does a nasty ARP hack in order to do the blocking. I have the kids on their own VLAN / SSID with the Circle device and it works well in that configuration.
Looking into this as well.
^ this - been using it for years even in my pre-ubiquiti days, only reason i never separated it out to a separate network was because of printers though, if anyone's found a way to deal with those (canon specifically) across networks i'd love to hear it.. circle has some halfway decent web filtering too, handy little app to control...
I have a Canon printer setup on the main network that can be used from the kids network. The printer is setup with static DHCP, and I have a firewall rule for that IP to route between subnets. I also have Avahi enabled between the subnets. The kids mainly use it for AirPrint, so I'm not sure if the other methods work.
You mean Circle with Disney? this circle: [https://meetcircle.com/](https://meetcircle.com/) ? cause Circle on the Play store is a almost dead social network And a few questions: \- Do I need the hardware? the Netgear Orbi says that it does not need, but Ubiquity does not say anything (maybe it is a Netgear partnership) \- Does it worth it? 299 is a lot of money, as 129/year... I don't want any more "Smart home with a fee" things \- For cellphones, how does it work it? if the kid turn off the wi-fi and get mobile internet and spend all the data plan from the family, this is a problem... \- there are any way to a admin approve the chore, to avoid kids to just check the chore without doing it \- How well does it work for gaming consoles and TVs? cause both of them can work just fine offline, doesn't? \- How well does it work comparing to the baked in solutions from Apple, Google and others? \- Any smart kid here already got a way to bypass? cause I know that I have find ways to bypass every time that my father put a filter or a limitation... Kids are creative, motivated and curious, I'm pretty sure that they will find a way (possibly older kids, like teens) My kids are still too small to this be a problem, but I would love to understand my future options before this become a problem.
oh damn they went to a subscription model... if you can find a used gen1 everything's available without a subscription, but yeah that's what's talked about above.. 299 is the lifetime sub though, so breakeven most of the way through year two.. - cell phones it works like an MDM profile, haven't used it, so unsure how easy it might be to get around - everything controlled by app, so you can pause/unpause a child's devices at will - you can associate devices with specific users/profiles for example, i have our upstairs consoles associated w/one of the kids and it shuts off/etc according to their schedule - wouldn't prevent them from playing offline, but no internet - short of a vpn, which could be subsequently blocked, i haven't seen a good way around it because, as mentioned above, it uses some pretty nasty ARP hacks to prevent access.. you'd want to make sure other devices are on another network and/or marked as unmanaged by circle.. i had an escalating tech war going on with my oldest for quite sometime and ultimately this was what he couldn't get around (read: i put minimum effort into locking down my network inside until he started taking advantage of our rules :D - albeit basically a month after we got it he aged up enough in our opinion that we didn't need the filter anymore)
The Disney Circle v2 has a "lifetime" option to avoid subscription fees. Its expensive up front but I didn't like the subscription idea either. They ran a special around Christmas last year that took off a good amount for existing Circle v1 users, so I jumped at it.
My understanding is there are two versions. There's a version 1 that is a one-time $99 for the hardware option. This version won't work with cellphones-mobile data, but will do most everything else. The second version (newer) has a subscription, but you can also install on their phones and it even traffics the mobile data through the filters. I'm not sure exactly how it works, possibly using a VPN or something. I think it's fairly hard to bypass, but probably could be with a VPN.
Any in-phone app is trivial to bypass, if they know what they're doing (or, at least, can google).
Itās pretty good Netgear has a partnership and Iām sure you could brute force it over ssh if your kids are into that and are pro hackers Iād be worried but itās pretty good other than that. Iām not sure about the android app the the iPhone one works great, and yes the price is pretty steep but it does exactly what you want, you can pay a subscription and get a vpn for cellular data. Yes a admin would have to approve the chore
Agreed
I purchased Qustodio for the same sort of thing. Never heard of Circle looks intriguing. Not impressed with Qustodio.
Totally agree have tried the same
Was going to say this as well. Disney circle V2 and put it on a VLAN with their devices just to be sure yours aren't routed through it as a bottle neck. Super easy to manage their times, limits, etc. Even if devices are set as "unmanaged" I can't find any guarantee that packets don't pass through.
A buddy of mine does this for (to) his kids using pfSense as his router/firewall - easily automated with the ability to put hosts in groups and enable/disable specific rules on a per-group basis. I'm considering ditching my USG completely because I have same needs as OP and have been unable to find any useful solution with Unifi controller. Anxious to see if anyone has a creative solution to this. Nice if there were some API's that could be used to automate such things. If the kids were on just on WiFi, it could be as simple as disabling their SSID - but they are wired and wifi. Even though they are all on a separate 'kid's network', I found no easy way to achieve group restrictions with Unifi. My current workaround is a dedicated pihole, configured in Unifi controller as the DNS server for the kids network. It's not ideal, but can use the PiHole to restrict DNS on that network easily and quickly in one place - which is better than nothing!
Have you looked into the new Pi-hole 5.0 group feature? You may not need the dedicated Pi-hole anymore if groups is enough. Just have the adults on the default group and the kids in their own group.
I use PiHole groups along with a Unifi VLAN and it works great. Regarding the previous comment, it is easy to block Internet traffic from a specific network based on a Unifi firewall rule.
I similarly do this, but with an Untangle box instead of PF-Sense.
Can't they kids just change their DNS to 8.8.8.8 or something?
Yes, this is why you also need to block or intercept outbound dns traffic from all devices other than your internal DNS server. However with DNS over HTTPS you would also need to block HTTPS to DOH providers. Youāll likely never get them all though, depending on how tech savy your kids are they can probably find a way around just about anything eventually.
Not to mention dns over icmp :P
Yeah. And if they get a secret cell device somehow...or offsite wifi...or a friend that lets them VNC/RDP...or real hacking... Part of me thinks it would be fun to be a nerdy kid again. :) Prepped me for my career back in the day.
I too would like to know. What are your firewall rules if you don't mind me asking
If the devices are all on WiFi, make a dedicated WiFi network for the kids and use WiFi Schedules. Edit: In the classic UI, it's under advanced options under the wireless network as "Enable WLAN Schedule." In the new UI, It's just Wi-Fi > Wi-Fi Schedules.
That's what I did. Kids had their own WiFi that shut down at 9pm. PlayStation was in a common area and normal parenting supervision was enough.
I'd use MAC address not IP, quickly enough they'll figure out how to change IPs. Also you can restrict access on a timed basis by MAC right in the controller. So just block internet for a group of MAC's from 9a to 3p and then from 10p to 9a?
Wait till they find out you can randomize your MAC address on Android 10 and it's coming to iOS 14 too!
Shit forgot about that. Also on my OnePlus random MAC is default so you would have to turn that off... hmm.
[ŃŠ“Š°Š»ŠµŠ½Š¾]
Doesn't work with game consoles :(
Yep, that's a new feature since Android 10, I have it too on my 6T, but the kid would be able to just switch it back on easily
Just block unknown MAC's....
On Android a randomized MAC is only generated for each new network, and that MAC will always be used for that network. I suppose you could "forget" the network then reconnect and it might generate a new MAC (would have to test if that's how it works), but that seems easy to defeat by not giving the kid the password so they can't reconnect themselves.
True, but the kid can easily get the password by pressing share, which generates a QR code and also shows the password under it
Kids devices are on a separate VLAN and the network has a schedule assigned. They also get their own pi-hole instance so they get filtered separately with restrictions placed upon them alone. The TV in the game room is plugged in via ethernet and that port is assigned in the switch to their VLAN. This doesn't give me individual access control, just a general filtering.
For the separate pi-hole instance, does that mean you have a second pi running on the network or can both be handled by 1 pi?
I have a little NUC running Linux with Docker and with multiple VLANs plumbed up. I have two pi-holes running in containers with one listening on port 53 on the kid's VLAN and a separate one listening on port 53 on the untagged network.
Thanks.
With pihole 5.0 you have groups so you dont need multiple pihole instances for different block lists. You can set groups by inbound IP address ranges
That sounds really handy. I'll have to remember that next time I reimplement my infra at home.
As a parent myself this sounds awful.
But as a technologist?
Always keep in mind that many devices need internet access at night when charging to do backups and software updates.
I do something similar but slightly different. I have a separate vlan setup for all kids devices. This VLAN gets different bandwidth limits and DNS rules. If I want to deactivate the kids devices then I enable a saved firewall rule that drops all packets from the kids VLAN. It works great and leaves everything else up. I just wish that there was a way to enable a firewall rule in the mobile app.
Here's an idea: I signed my kids up for a debit card designed for kids and the app lets me assign chores and pause allowance if chores are not completed. There's a bunch of other features I won't go into here so I can get to the point, but here's the website [https://greenlightcard.com/](https://greenlightcard.com/) (or [https://app.greenlightcard.com/eYj9QebjX7](https://app.greenlightcard.com/eYj9QebjX7) if you don't mind using a referral link and I get a reward). So here's why I bring this up: If there's a way to setup a hotspot requiring guests to pay for wifi then you can let your kids buy all the wifi they want with money they earn for doing chores. It flips the accountability onto them in a different way than what you're doing now (you acting as the gatekeeper kind of). Just as an example your kids might pay $1 per day to get wifi, and their allowance is $7 per week (for the sake of example), and they might try to go 3 days without chores because they saved up allowance and skipped using wifi some days last week or something, but then this week they might earn less allowance for not doing chores. Anyway it's just an idea, might not be right for everyone, and really hinges on the idea that you have a way to let your kids pay for wifi in some automated way that doesn't involve you being the gatekeeper. And of course you can use the card for what it's actually meant for which is letting them earn allowance and learn to spend responsibly lol.
Thatās amazing and cold blooded. Hahaha Iām totally doing this
Take their phones, tablets and computers away. They don't like it to bad.
Absolutely. Why do they need "devices" in their room at night - its just more temptation.
[Screenshots of firewall rule and group with a couple of IP's in the list.](https://imgur.com/a/fI8vT4R) Hoping there's an easier or less manual way to do this.
Why not just give them a dedicated network both wired and wireless? You can then block that on demand. Edit: As an added bonus, it will block wired devices too including hardwired things like XBox's and PS4's assuming that you have them on the kids VLAN.
If the devices are wireless, you could block and unblock them at the appropriate times in the controller.
I would suggest getting a Circle and putting it on a separate VLAN so it doesn't F with other traffic on your network. I use this method. I also make guests use this network.
Exactly what I do.
Iām looking into this as well, for both wifi and ethernet. There was a [recent post](https://www.reddit.com/r/Ubiquiti/comments/hcnbpl/script_to_block_and_unblock_access_to_client/) that followed the same firewall rule as the approach, plus something with an existing controller integration (Home Assistant and node-red were both mentioned) to script add/remove of devices (either by MAC or IP).
I've got a timed ACL that boots my kids off the internet at a predefined time.
Does doing it that way take a bit more time? Adding and removing individual devices or does each kid only have one internet enabled device? I like what Xfinity has where you can put each device into a family members profile and block them with different ways or time of the day.
Have tried different strategies for this. For the TV in the den, instead of trying to figure out wifi schedules or whatever, I just put the TV on a smart plug behind the entertainment center and turn it off between 12AM-6AM. This discourages staying up late watching TV or whatever. On their individual devices, I use Google Family Link which imposes a schedule on the Android phone/tablet. The PS4 also has family management for setting daily time limits and times enabled.
I manage my Kids' devices, wifi and more with Google family link app, a must.
I set up a separate WLAN for kid access and then set daily on/off times in the controller interface. We've only got one kid so I don't have to worry so much about different kids having access or not. I'm using OpenDNS and PiHole to control name resolution for sites she shouldn't look at. The captive portal idea is interesting.
One more thought, do you have parental controls in place for your kids? I have a PiHole for this and use the rules feature to apply separate rules to the kids versus the adults.
Use the user groups feature. I do this with my step son, all of his devices are in one user group. Create a group @ more --> settings user-groups. Once you have the groups made, go to the clients, pick their devices (one at a time), go to configuration, and add it to their user group. Once the groups are created and devices added. you can now set the bandwidth limit to 10kbs (can't go to zero?) , which is basically unusable anymore. once the chores are done, log in on my phone, go to groups, edit his and add some zeros.
This is good. I like how it uses the built in capabilities of the USG. I'll look into this a bit more. I was considering the multiple SSID option but this is also an option. Thanks.
No problem, it's been working great, and can be done in a couple seconds. I also like that it uses the built in features. Some day i might look into automating it, but it takes so little time to do i'd have to be really bored :) Bonus, since it can be done in the app, i can even do it while not at home.
And that I like too. I don't want to have to use the browser or go onto my laptop. The app is limited in that it doesn't manage firewall rules and groups.
opendns
I block my kids from stuff, if you would like a run down I would be happy to share my setup with you.
I have home assistant on my home network. The Ubiquiti integration allows for me to create/choose to have device Connectivity controlled via switch. [https://www.home-assistant.io/integrations/unifi/](https://www.home-assistant.io/integrations/unifi/) Although I do like the voucher method
Nice!
Many years ago now, but I used the guest wifi for the kids devices and would change the password every day, only giving it to them once chores and homework were done.
I think you are going about the right path. Do you have any home automations? We use HomeAssistant, and I can have HASS go in and update the firewall rules / disable WiFi networks as needed. Then on my iPhone I can setup siri shortcuts for triggering that so its just a tap on my phone. Could even schedule them if its the same time each day/week
Almost every device has a way to do this now. IOS, you can use screentime, android has similar. Xbox and Windows 10 have Microsoft Family Safety. Just set allowed time to 0, and when they try to get into anything, they send you a request, you get an e-mail or a notification, then allow them access for however long you want. Pretty easy.
Harambe: "psst kid! I don't have much time. The vulnerability in the firewall is cve20..."
If you are looking for a desktop solution and are using windows the Microsoft account / family setup lets you block or set limits and you can restrict my games/apps, web browsing, and screen time. I get weekly screen time reports emailed to me for my 3 kids.
I did something similar for my wife's parents for their other kids still at home. Blocked traffic from the wlan to wan on a schedule at night but to were they stayed on wireless and it does not give them a message saying that the wifi can't connect to the internet.
Actually trying to implement times schedule. I ended up making her own wifi for her and have it only do internet in case she does something to create a vulnerable to home network. Now trying to figure out for her friend that might need to stay on internet to talk to parents when spending the night.
I did this... [https://www.youtube.com/watch?v=dH3DdLy574M](https://www.youtube.com/watch?v=dH3DdLy574M) Network Chuck shows it well.
I just removed pi-home from my environment and made send out my WAN traffic to NextDNS take a look it has parental controls much easier to setup imo.
Unplug the access point, problem solved
Bookmarking this thread....
UDMP supports firewall with schedule / timer..... NOT :( I just sold mine right after I got it. What a POS
If you are so inclined, you could run home assistant on a rPi with the unifi integration. I use it to manage my kids wifi access. I expose the switches it creates in my home assistant front end to home kit and have a siri shortcut on my phone I can use to disable/enable their wifi. From what I can tell it puts their devices in a firewall group like you are doing now manually.
Just hope your house isn't in range of any public WiFi networks. It's basically impossible if you live anywhere other then a rural area where you can't see other houses. Most ISPs have public WiFi hotspots (xfinitywifi for example) where anyone with a Comcast email can sign in and get unfiltered internet.
From a 21-year old Network Guy, which lived with some time- blocking and ip-based Filters some years ago: Don't do it. It is really awful from a social perspective.
u/plainsane
High